Anticipating the Unknown

It's been one of the dirty little secrets of the security industry for years: Software patches don't work.
It's not that they don't fix the problems that they're designed to solve; they do. Despite technical problems with some patches, most notably regression errors and incompatibility issues in patches from Microsoft Corp. and others, hot fixes hit their targets.

The real problem, as most administrators or competent crackers can attest, is that so few network administrators regularly apply patches that the fixes are all but irrelevant. The reasons are many, but the two most serious issues are the lack of time to download, test and apply the patches and the sheer number of vulnerabilities affecting popular software packages. Combined, these problems leave a playing field rife with unprotected servers and desktops just waiting to be attacked.

Software vendors, large and small, have spent considerable time and money trying to address this problem. Microsoft has developed several automated tools that simplify and accelerate the process of downloading, disseminating and applying patches. And a new crop of companies, most notably Citadel Security Systems Inc., is developing automated vulnerability assessment and remediation tools for enterprises.
But none of these solutions can change the fact that patches are by nature a reactive response. You have to wait until the problem is known to get the fix. And with crackers working overtime to find and exploit unknown vulnerabilities, that's more often than not a losing proposition.
As a result, several security companies are rolling out advanced technologies that are designed to not only react to and block incoming known threats but to anticipate and mitigate unknown attacks as well.
"It's been kind of the missing link in this industry for a long time," said Chris Klaus, founder and chief technology officer at Internet Security Systems Inc., in Atlanta. "Patch management isn't working. We just use vulnerability detection as a feedback loop in threat detection and assessment to find out where are you not protected."
ISS recently announced a strategy and solution set called Dynamic Threat Protection, which combines a host of technologies and applications to provide real-time analysis of network traffic to identify and react to unknown threats.
The linchpin of the new strategy is RealSecure Site Protector 2.0. The new version brings all the security capabilities in a given network under one command-and-control system. It relies on RealSecure agents on each protected machine, from servers to desktops to laptops, and uses a single policy management component for the entire system.
Site Protector is closely tied to the new release of ISS Fusion, which now uses intelligence from ISS' X-Force research team to instantly analyze and correlate incoming threat information. That data is then mapped against vulnerabilities found in the network to provide a real-time view of the effect of the attack.
ISS is not alone in pursuing this strategy. Mazu Networks Inc., of Cambridge, Mass., has unveiled a platform called PowerSecure that is aimed at identifying anomalous network events through detailed traffic analysis. The system is deployed across a given network and records information about each network connection over a period of time. It uses this data to establish a profile of the normal volume and nature of the traffic on each connection.
The system then compares real-time traffic against that historical profile to identify anomalous traffic. Mazu began life in the aftermath of the DDoS (distributed-denial-of-service) attacks that hit a number of high-profile Web sites three years ago. It has since adapted its technology to not only defend against DDoS attacks but also to mitigate a wide range of network events.
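The baseline-and-compare approach described above, as an added illustration written for this page (not Mazu's or ISS' own software): a per-connection volume profile is learned from a training window, then a live interval is checked for volume spikes and for connections the profile has never seen. The connection keys and byte counts are constructed sample data.

```python
from statistics import mean, pstdev

# Constructed sample data: bytes observed per interval on each
# (destination host, destination port) connection during the learning period.
HISTORY = {
    ("web01", 80):  [12000, 11500, 13000, 12500, 11800, 12200],
    ("mail01", 25): [3000, 2800, 3200, 3100, 2900, 3000],
    ("db01", 5432): [50000, 52000, 49000, 51000, 50500, 49500],
}


def build_baseline(history):
    """Profile the normal volume on each connection as (mean, std dev) of bytes per interval."""
    return {key: (mean(samples), pstdev(samples)) for key, samples in history.items()}


def detect_anomalies(baseline, live, k=3.0, floor=0.05):
    """Compare one live interval against the learned profile.

    live maps a connection key to the bytes observed in that interval.
    A connection is flagged when its volume exceeds the mean by more than
    k standard deviations (a floor of floor*mean keeps an unusually stable
    baseline from tripping on small noise), or when the key was never seen
    in training, i.e. the 'nature' of the traffic has changed.
    """
    alerts = []
    for key, observed in live.items():
        if key not in baseline:
            alerts.append((key, "unknown_connection", observed))
            continue
        mu, sigma = baseline[key]
        threshold = mu + k * max(sigma, floor * mu)
        if observed > threshold:
            alerts.append((key, "volume_spike", observed))
    return alerts


if __name__ == "__main__":
    # Constructed live interval: mail01 carries 15x its usual volume and
    # a never-before-seen SSH connection to web01 appears.
    live_interval = {
        ("web01", 80): 12100,
        ("mail01", 25): 45000,
        ("db01", 5432): 50000,
        ("web01", 22): 900,
    }
    for alert in detect_anomalies(build_baseline(HISTORY), live_interval):
        print(alert)
```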
Other companies, including Okena Inc. and Entercept Security Technologies Inc., are going down this road as well. Entercept's technology, like ISS', can intercept operating system calls to head off malicious behavior before the operations are executed.
"This is a part of the evolution of security technologies. It's a natural next step," said Matthew Kovar, an analyst at The Yankee Group, in Boston.
ISS' new strategy uses the X-Force's intelligence to create updates called "virtual patches," which can prevent malicious activity and unwanted behavior on a machine until a vendor patch is available. The updates are pushed to all the RealSecure agents on the protected machines.
"The key is, patches are so risky to applications. They're too expensive and too risky," said Chris Rouland, X-Force director. "Any new PC or server you roll out is immediately at risk until you download all the patches. Our model is risk-averse. We want to limit knee-jerk reactions to new threats by allowing some flexibility in the process."
The virtual patches use several methods to prevent attacks, including automatically blocking access to targeted services. And they have the added appeal of not changing the underlying applications, the way that vendor-provided software patches often do.
"It gives you the same protection level as a patch without really changing the system," ISS' Klaus said. "We're investing in a lot of technology to detect unknown attacks, but anyone who tells you they can stop everything is selling snake oil."